Control plane encryption in IP/MPLS networks

ABSTRACT

A method for providing control plane encryption in layer 3 networks is disclosed. For a network having a subset of network elements forming a secured domain, the method includes the steps, at a network element which is in the secured domain, of: encrypting all unencrypted Layer 3 packets as they egress an encryption-enabled egress interface; unencrypting all encrypted Layer 3 packets as they egress an egress interface that is not enabled for encryption; and leaving encrypted all encrypted Layer 3 packets as they egress an encryption-enabled egress interface. A system and machine readable storage media are also disclosed.

FIELD OF THE INVENTION

The invention relates to the use of encryption of network traffic, and in particular to encryption of all user and control plane traffic traversing all nodes in a secure domain of a network.

BACKGROUND OF THE INVENTION

Traditional encryption on the Internet, such as that provided by Internet Protocol Security (IPsec), a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session, and which also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session, is intended for providing users with security for sensitive data and applications. IPsec was designed for authenticating and encrypting IP packets between two devices, e.g. routers, in a point-to-point fashion by establishing an encryption tunnel between those routers. IPsec was not designed for network level encryption and security between a multitude of routers communicating together and between one another simultaneously without establishing a full mesh of IPsec tunnels between routers. Creating full meshes of IPsec tunnels for inter-nodal encrypted traffic is cumbersome and inefficiently uses precious network and router resources. IPsec and other prior art solutions also do not provide encryption and authentication security for IP/MPLS control plane traffic (such as OSPF, BGP, RIP, RSVP-TE, LDP, and similar protocols) used in an IP/MPLS network to establish routing and signaling between nodes.

Commonly used encryption standards include: DES (Data Encryption Algorithm); 3DES (Triple Data Encryption Algorithm); Blowfish (Blowfish symmetric key block cipher standard); Twofish (Twofish symmetric key block cipher standard); Serpent (Serpent symmetric key block cipher standard); SNOW 3G (SNOW stream cipher standard); Kasumi-F8 (Kasumi-F8 block cipher); AES-128 (Advanced Encryption Standard 128 bit key); AES-192 (Advanced Encryption Standard 192 bit key); and AES-256 (Advanced Encryption Standard 256 bit key).

The US Congress and Senate are requiring utility companies to expand investment in cyber-security to protect the evolving “Smart Grid”. As well, North American Electric Reliability Corporation (NERC) Standards defined national standards for security through NERC-CIP (NERC Critical Infrastructure Protection) requirements, of which encryption/authentication is an important aspect. Likewise, similar requirements are appearing worldwide for corresponding applications, for example, specifications and requirements through the IEC (International Electrotechnical Commission).

It would be useful to have an efficient method which could encrypt all routable IP packets traversing the network, including user and control plane traffic, using a single method for both types of traffic, where IP routing is maintained for individual traffic flows as would be expected before encryption and authentication was applied.

SUMMARY OF THE INVENTION

It is an object of the invention to provide an efficient method of encrypting all IP packets traversing the network, including user and control plane traffic, using a single method for both types of traffic, where IP routing is maintained for individual traffic flows as would be expected before encryption and authentication was applied.

According to a first aspect of the invention there is provided a method of encrypting data for a network having a plurality of network elements, each of the plurality of network elements having a connection between a respective ingress interface to a respective egress interface of another network element of the plurality of network elements; and a subset of the plurality of network elements having a secured domain; the method having the steps of: at a first network element which is a member of the subset of network elements, encrypting all Layer 3 packets that were received on an ingress interface that had encryption disabled on that interface as they egress an egress interface wherein the egress interface is enabled for encryption; at the first network element, unencrypting all Layer 3 packets as they egress an egress interface wherein the egress interface is not enabled for encryption and the ingress interface was enabled for encryption; and at the first network element, leaving encrypted all encrypted Layer 3 packets as they egress an egress interface wherein the egress interface is enabled for encryption and the ingress interface where said packets were received was also enabled for encryption.

In some embodiments of this aspect of the invention the encrypting is associated with an encryption protocol that is one of the group of DES, 3DES, Blowfish, Twofish, Serpent, SNOW 3G, Kasumi-F8, AES-128, AES-192, and AES-256.

According to another aspect of the invention there is provided a system for providing a secured domain, having: a plurality of network elements, each of the plurality of network elements having a connection between a respective ingress interface to a respective egress interface of another network element of the plurality of network elements; a subset of the plurality of network elements having the secured domain; a first network element which is a member of the subset of network elements, which encrypts all unencrypted Layer 3 packets as they egress a respective egress interface wherein the egress interface is enabled for encryption; the first network element further unencrypting all encrypted Layer 3 packets as they egress a respective egress interface wherein the egress interface is not enabled for encryption; and the first network element leaving encrypted all encrypted Layer 3 packets as they egress a respective egress interface wherein the egress interface is enabled for encryption.

In some embodiments of this aspect of the invention the encrypting is associated with an encryption protocol that is one of the group of DES, 3DES, Blowfish, Twofish, Serpent, SNOW 3G, Kasumi-F8, AES-128, AES-192, and AES-256.

According to yet another aspect of the invention there is provided a non-transitory machine readable storage medium encoded with instructions for execution by a processor at a first network element for a network having a plurality of network elements, each of the plurality of network elements having a connection between a respective ingress interface to a respective egress interface of another network element of the plurality of network elements; and a subset of the plurality of network elements having a secured domain; and the first network element a member of the subset, the medium having: instructions for encrypting all unencrypted Layer 3 packets as they egress an egress interface of the first network element in the event the egress interface is enabled for encryption; instructions for unencrypting all encrypted Layer 3 packets as they egress an egress interface of the first network element in the event the egress interface is not enabled for encryption; and instructions for leaving encrypted all encrypted Layer 3 packets as they egress an egress interface of the first network element in the event the egress interface is enabled for encryption.

In some embodiments of this aspect of the invention the encrypting is associated with an encryption protocol that is one of the group of DES, 3DES, Blowfish, Twofish, Serpent, SNOW 3G, Kasumi-F8, AES-128, AES-192, and AES-256.

Note: in the following the description and drawings merely illustrate the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the invention and are included within its spirit and scope. Furthermore, all examples recited herein are principally intended expressly to be only for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass equivalents thereof.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be further understood from the following detailed description of embodiments of the invention, with reference to the drawings in which like reference numbers are used to represent like elements, and:

FIG. 1 illustrates an exemplary network having a secure domain for user traffic therein according to an embodiment of the invention;

FIG. 2 illustrates another exemplary network having a secure domain for control plane traffic according to an embodiment of the invention;

FIG. 3a illustrates an exemplary encrypted Layer 3 packet having an Ethernet header according to an embodiment of the invention;

FIG. 3b illustrates an exemplary encrypted Layer 3 packet having an IP header according to an embodiment of the invention; and

FIG. 4 illustrates a block diagram of a network equipment processor assembly according to an embodiment of the invention.

DETAILED DESCRIPTION

In the following description, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In other instances, well-known circuits, structures and techniques have not been shown in detail in order not to obscure the understanding of this description. It will be appreciated, however, by one skilled in the art that the invention may be practiced without such specific details. In other instances, control structures, gate level circuits and full software instruction sequences have not been shown in detail in order not to obscure the invention. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.

References in the specification to “one embodiment”, “an embodiment”, “an example embodiment”, etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.

In the following description and claims, the terms “coupled” and “connected,” along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other. “Coupled” is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, cooperate or interact with each other. “Connected” is used to indicate the establishment of communication between two or more elements that are coupled with each other.

The techniques shown in the figures can be implemented using code and data stored and executed on one or more electronic devices (e.g., a network element). Such electronic devices store and communicate (internally and with other electronic devices over a network) code and data using machine-readable media, such as machine storage media (e.g., magnetic disks; optical disks; random access memory; read only memory; flash memory devices) and machine communication media (e.g., electrical, optical, acoustical or other form of propagated signals—such as carrier waves, infrared signals, digital signals, etc.). In addition, such electronic devices typically include a set of one or more processors coupled to one or more other components, such as a storage device, one or more user input/output devices (e.g., a keyboard and/or a display), and a network connection. The coupling of the set of processors and other components is typically through one or more busses and bridges (also termed as bus controllers). The storage device and signals carrying the network traffic respectively represent one or more machine storage media and machine communication media. Thus, the storage device of a given electronic device typically stores code and/or data for execution on the set of one or more processors of that electronic device. Of course, one or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.

As used herein, a network element (e.g., a router, switch, bridge, etc.) is a piece of networking equipment, including hardware and software, that communicatively interconnects other equipment on the network (e.g., other network elements, computer end stations, etc.). Customer computer end stations (e.g., workstations, laptops, palm tops, mobile phones, etc.) access content/services provided over the Internet and/or content/services provided on associated networks such as the Internet. The content and/or services are typically provided by one or more server computing end stations belonging to a service or content provider, and may include public webpages (free content, store fronts, search services, etc.), private webpages (e.g., username/password accessed webpages providing email services, etc.), corporate networks over VPNs, etc. Typically, customer computing end stations are coupled (e.g., through customer premise equipment coupled to an access network, wirelessly to an access network) to edge network elements, which are coupled through core network elements of the Internet to the server computing end stations.

In general in the description of the figures, like reference numbers are used to represent like elements.

Referring now to FIG. 1, there may be seen a network 100 having network nodes 102, 112, 122, 132, and 142. The network nodes are connected via interfaces 103 on network node 102; interfaces 111, 113, and 115 on network node 112; interfaces 121, 123, and 125 on network node 122; interfaces 131 and 133 on network node 132; and interface 141 on network node 142. Interfaces may either be enabled for encryption-plus-authentication or disabled for encryption-plus-authentication. Bold links 160, 161, and 162 between interfaces are enabled for encryption-plus-authentication and un-bolded links are not enabled for encryption-plus-authentication, namely the links connecting interfaces 103 and 111, and interfaces 125 and 141. Interfaces 103, 111, 125 and 141 are not enabled for encryption-plus-authentication, while interfaces 113, 115, 121, 123, 131, and 133 are enabled for encryption-plus-authentication. Interface 103 connects to interface 111; interface 113 connects to interface 131; interface 115 connects to interface 121; interface 133 connects to interface 123; and interface 125 connects to interface 141.

Boundary contour 150 indicates the extent of the secured and encrypted domain within network 100, namely the domain consisting of the encrypted interfaces 113 and 115 on network node 112 and its internal routing function, the encrypted interfaces 121 and 123 on network node 122 and its internal routing function, and interfaces 131 and 133 on network node 132 and its internal routing function.

In operation, communication within the secured domain is encrypted, whereas communication outside the domain boundary is unencrypted. Communication that crosses the security boundary 150 changes the encryption status of the packet using the encryption scheme adopted within the secure domain boundary. This is effected by first configuring the interfaces so that they are either enabled for encryption or not enabled for encryption. Routing information already available on the node is then used to determine when:

1) a packet is to be forwarded from an ingress interface disabled for encryption to an egress interface disabled for encryption, implying the packet is to remain outside the security domain boundary and no encryption or un-encryption operations will be applied to the packet.

2) a packet is to be forwarded from an ingress interface disabled for encryption to an egress interface enabled for encryption, implying the packet is to cross the security domain boundary from the unsecure domain to the secure domain and will require the node to apply the encryption scheme (encrypt) to the packet before forwarding out the egress interface.

3) a packet is to be forwarded from an ingress interface enabled for encryption to an egress interface disabled for encryption, implying the packet is to cross the security domain boundary from the secure domain to the unsecure domain and will require the node to remove the encryption scheme (unencrypt) from the packet before forwarding out the egress interface.

4) a packet is to be forwarded from an ingress interface enabled for encryption to an egress interface also enabled for encryption, implying the packet is already encrypted within the security domain boundary and will remain within the domain, and no encryption or un-encryption operation will be applied to the packet.

By way of example, using the network nodes depicted in FIG. 1 it can be seen that a packet from interface 103 on network node 102 and destined for network node 142 has two possible paths through secure domain 150. The first path is from network node 112 to network node 122 and thence to destination node 142. Via this path, network node 112 receives the packet on interface 111, which is disabled for encryption, and proceeds to forward it to egress interface 115. As egress interface 115 is enabled for encryption and connects to interface 121 on another network node within the secure domain, egress interface 115 must encrypt all packets that egress the interface and originated from an interface disabled for encryption. Therefore, according to an embodiment of the invention, network node 112 encrypts the packet from interface 111 and sends the encrypted packet out egress interface 115 towards interface 121 on node 122. Network node 122 receives the encrypted packet on interface 121, which is enabled for encryption, recognizes from routing information that the destination node is network node 142 and prepares to forward it via the encryption-disabled egress interface 125. Egress interface 125 is not enabled for encryption as it and node 142 are outside of the secure domain. Therefore node 122 recognizes this transition from the secure domain to the unsecure domain, unencrypts the packet and then forwards it out interface 125 towards node 142, where it is received on interface 141 by network node 142.

The second path from network node 102 to destination node 142 is via, in sequence, secure domain network nodes 112, 132, and 122. Via this path, network node 112 receives the packet on interface 111, which is disabled for encryption, and proceeds to forward it to egress interface 113. As egress interface 113 is enabled for encryption and connects to interface 131 on another network node within the secure domain, egress interface 113 must encrypt all packets that egress the interface and originated from an interface disabled for encryption. Therefore, according to an embodiment of the invention, network node 112 encrypts the packet from interface 111 and sends the encrypted packet out egress interface 113 towards interface 131 on node 132. Network node 132 receives the packet at encryption-enabled interface 131 and proceeds to forward it via encryption-enabled interface 133 towards interface 123 on network node 122. Since network node 132 recognizes the packet as being received on encrypted interface 131, node 132 knows the packet has already been encrypted and checks for encryption on the packet's receipt to verify that this is true. If not true, then the packet may be an intruder packet and must be dropped. If true, then the packet can be forwarded. Node 132 then recognizes that egress interface 133 is also enabled for encryption and thus merely forwards the packet out interface 133, leaving the existing encryption scheme used on the packet in place. Network node 122 receives the encrypted packet on encryption-enabled interface 123, recognizes from routing information that the destination node is network node 142 and determines it must forward the packet via encryption-disabled egress interface 125. Since egress interface 125 is not enabled for encryption, as it is connected to a node outside of the secure domain, node 122 therefore unencrypts the packet before forwarding and then forwards it out encryption-disabled interface 125 towards node 142, where it is received on interface 142.

Thus, dependent upon the encryption enablement of the ingress and egress interfaces, the egress interface will either encrypt and forward the packet, unencrypt and forward the packet, or leave the packet either encrypted or unencrypted as originally received and forward it as is.
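The decision table above (the four ingress/egress cases plus the receive-side check performed by node 132) can be exercised on the FIG. 1 topology. The following is an added example written for this page, not code from the patent or from any product implementing it; the interface numbers and encryption flags are the ones given in the description, while the `Action` names, the `trace` helper and the representation of a path as (ingress, egress) interface pairs are assumptions made for the simulation. It goes slightly beyond the text in that it also validates that consecutive hops are actually joined by a link.

```python
from enum import Enum


class Action(Enum):
    FORWARD = "forward unchanged"
    ENCRYPT = "encrypt, then forward"
    UNENCRYPT = "unencrypt, then forward"
    DROP = "drop: cleartext received on an encryption-enabled interface"


def forwarding_action(ingress_enabled, egress_enabled, packet_encrypted):
    """Decision table for the four ingress/egress cases, plus the receive-side check."""
    if ingress_enabled and not packet_encrypted:
        # Node 132's check: an encryption-enabled interface must only see encrypted
        # packets; anything else is treated as an intruder packet and dropped.
        return Action.DROP
    if not ingress_enabled and egress_enabled and not packet_encrypted:
        return Action.ENCRYPT      # case 2: unsecure -> secure, apply the domain's scheme
    if ingress_enabled and not egress_enabled:
        return Action.UNENCRYPT    # case 3: secure -> unsecure, remove it
    return Action.FORWARD          # cases 1 and 4: packet stays on the same side


# Topology of FIG. 1 as given in the description: interface -> (owning node, encryption enabled)
INTERFACES = {
    103: (102, False), 111: (112, False), 113: (112, True), 115: (112, True),
    121: (122, True), 123: (122, True), 125: (122, False),
    131: (132, True), 133: (132, True), 141: (142, False),
}
# Links between interfaces, stored in both directions
LINKS = {103: 111, 113: 131, 115: 121, 133: 123, 125: 141}
LINKS.update({b: a for a, b in list(LINKS.items())})


def trace(hops, packet_encrypted=False):
    """Walk a path given as (ingress, egress) interface pairs.

    Returns (list of (node, ingress, egress, Action), final encryption state);
    the final state is None if the packet was dropped. Raises ValueError when a
    hop's interfaces sit on different nodes or consecutive hops are not linked.
    """
    actions = []
    prev_egress = None
    for ingress, egress in hops:
        node, ingress_enabled = INTERFACES[ingress]
        egress_node, egress_enabled = INTERFACES[egress]
        if node != egress_node:
            raise ValueError(f"interfaces {ingress} and {egress} are on different nodes")
        if prev_egress is not None and LINKS.get(prev_egress) != ingress:
            raise ValueError(f"no link from interface {prev_egress} to {ingress}")
        action = forwarding_action(ingress_enabled, egress_enabled, packet_encrypted)
        actions.append((node, ingress, egress, action))
        if action is Action.DROP:
            return actions, None
        if action is Action.ENCRYPT:
            packet_encrypted = True
        elif action is Action.UNENCRYPT:
            packet_encrypted = False
        prev_egress = egress
    return actions, packet_encrypted


# The two paths from node 102 to node 142 through secure domain 150
PATH_VIA_122 = [(111, 115), (121, 125)]
PATH_VIA_132 = [(111, 113), (131, 133), (123, 125)]

if __name__ == "__main__":
    for path in (PATH_VIA_122, PATH_VIA_132):
        steps, final = trace(path)
        for node, ingress, egress, action in steps:
            print(f"node {node}: {ingress} -> {egress}: {action.value}")
        print("delivered encrypted:", final)
```

Running the module prints the per-node action for both paths: node 112 encrypts, node 132 (second path only) forwards unchanged, and node 122 unencrypts, so the packet reaches node 142 in the clear exactly as it left node 102. Injecting a cleartext packet at interface 131 instead yields a drop, which is the behaviour the description requires for a packet that arrives unencrypted on an encrypted interface.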

In operation all the network nodes within the secure domain share the encryption and authentication key information. The encryption and authentication key information is forwarded to and stored at the nodes. The particular encryption key in use on a particular packet is indicated by the SPID contained in the header portion of the packet.

Referring again to FIG. 1, there may be seen Service Aware Manager 172 which is connected to network element 111 by secure communication link 173, to network element 122 by secure communication link 174, and to network element 132 by secure communication link 175 respectively. Communication links 173, 174 and 175 may be effected by any appropriate secure protocol, for example Secure Shell (SSH) protocol. Service Aware Manager 172 provides network elements 112, 122, and 132 the encryption label used to identify packets that have been encrypted. The encryption label is a network wide label value that is recognized by all nodes to identify encrypted packets on reception and to indicate encryption of packets on transmissions. It also provides network elements 112, 122, and 132 the necessary encryption and authentication keys required to coordinate encrypted communications between SDPs.

The encryption of Layer 3 traffic ensures that the user plane data is protected; that the network topology cannot be discovered by an attacker (via encrypting Internet Gateway Protocol (IGP) messages such as those of IS-IS (Intermediate System to Intermediate System) and OSPF (Open Shortest Path First)); and that signaling and synchronization protocols cannot be attacked (including RSVP (Resource Reservation Protocol) and T-LDP (Targeted Label Distribution Protocol) messaging).

Referring to FIG. 2, there may be seen a network 200 having network nodes 202, 212, 222, 232, and 242. The network nodes communicate control plane traffic with one another via connected interfaces 203 on network node 202; interfaces 211, 213, and 215 on network node 212; interfaces 221, 223, and 225 on network node 222; interfaces 231 and 233 on network node 232; and interface 241 on network node 242. Interfaces may either be enabled for encryption-plus-authentication or disabled for encryption-plus-authentication. Bold links 260, 261, and 262 between interfaces are enabled for encryption-plus-authentication and un-bolded links between nodes are not enabled for encryption-plus-authentication. Interfaces 203 and 241 are not enabled for encryption-plus-authentication, while interfaces 211, 213, 215, 221, 223, 231, and 233 are enabled for encryption-plus-authentication. Interface 203 connects to interface 211; interface 213 connects to interface 231; interface 215 connects to interface 221; interface 233 connects to interface 223; and interface 225 connects to interface 241.

Boundary contour 250 indicates the extent of the secured domain within network 200, namely the domain consisting of the encrypted interfaces 213 and 215 on network node 212 and its internal routing function, the encrypted interfaces 221 and 223 on network node 222 and its internal routing function, and interfaces 231 and 233 on network node 232 and its internal routing function.

Within network nodes 212, 222, and 232 may be seen control processors 216, 226 and 234 respectively, which represent the processing elements of each node that process control plane packets. The control processors 216, 226 and 234 are shown outside of secure domain 250 as they process unencrypted data. Links 263, 269, and 264 show the connection between control processor 216 and interfaces 211, 213 and 215 respectively. Likewise links 265, 270, and 266 show the connection between control processor 226 and interfaces 221, 223 and 225 respectively. As well, links 267 and 268 show the connection between control processor 234 and interfaces 231 and 235 respectively.

Referring to FIG. 3a, there may be seen a Layer 3 encrypted packet having an Ethernet header according to an embodiment of the invention. Packet segment 301 contains the Ethernet header, and packet segment 302 contains the IP data. Packet segment 303 contains the ESP/AH (Encapsulating Security Payload/Authentication Header) data. Packet segment 304 contains the encrypted payload, including data segment 305, and packet segment 306 contains the authentication data.

Referring to FIG. 3b, there may be seen a Layer 3 encrypted packet having an IP header according to an embodiment of the invention. Packet segment 311 contains the IP header, and packet segment 312 contains the SPI (Security Parameter Index) data. Packet segment 313 contains the sequence number. In this packet, packet segments 312 and 313 comprise the ESP (Encapsulating Security Payload) header. Packet segment 314 contains the encrypted payload, including data segment 315. Packet segment 316 contains the authentication data.
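The FIG. 3b layout (IP header, SPI, sequence number, encrypted payload, authentication data), together with the earlier statement that the SPI identifies which shared key applies and that a node must verify a packet arriving on an encryption-enabled interface before forwarding it, can be shown as a build-and-receive pair. This is an added example written for this page, not code from the patent or from any product; it assumes a minimal 20-byte IPv4 header, a 16-byte truncated HMAC-SHA256 as the authentication data, a hash-derived keystream as a stand-in for the block cipher (not AES, not for real use), and a constructed key table in place of the keys the Service Aware Manager would distribute. The receive side additionally rejects a repeated sequence number, a check the page does not spell out.

```python
import hashlib
import hmac
import struct

# Constructed sample key table, indexed by SPI (the page's "SPID"). In the
# described system these keys are distributed to every node in the secured
# domain; here they are hard-coded placeholder values for an offline run.
KEY_TABLE = {
    0x1001: {"enc": b"E" * 32, "auth": b"A" * 32},
}

IPV4_HEADER_LEN = 20   # minimal IPv4 header without options (packet segment 311)
ESP_HEADER_LEN = 8     # 4-byte SPI + 4-byte sequence number (segments 312 and 313)
ICV_LEN = 16           # authentication data (segment 316): truncated HMAC-SHA256, an assumption
IPPROTO_ESP = 50       # IPv4 protocol number assigned to ESP


def _keystream(key, spi, seq, length):
    """Hash-based stand-in for a block cipher in counter mode (not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">IIQ", spi, seq, counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def build_esp_packet(src, dst, spi, seq, payload):
    """Assemble the FIG. 3b layout: IP header | SPI | seq | encrypted payload | ICV."""
    keys = KEY_TABLE[spi]
    total_len = IPV4_HEADER_LEN + ESP_HEADER_LEN + len(payload) + ICV_LEN
    ip_header = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                            IPPROTO_ESP, 0, src, dst)
    ciphertext = _xor(payload, _keystream(keys["enc"], spi, seq, len(payload)))
    esp = struct.pack(">II", spi, seq) + ciphertext
    icv = hmac.new(keys["auth"], esp, hashlib.sha256).digest()[:ICV_LEN]
    return ip_header + esp + icv


class EspReceiver:
    """Receive side of an encryption-enabled interface: verify first, then unencrypt."""

    def __init__(self, key_table):
        self.key_table = key_table
        self.last_seq = {}   # highest sequence number accepted per SPI (simple anti-replay)

    def receive(self, packet):
        """Return (spi, seq, plaintext) for an acceptable packet, or None if it must be dropped."""
        if len(packet) < IPV4_HEADER_LEN + ESP_HEADER_LEN + ICV_LEN:
            return None                    # truncated
        if packet[9] != IPPROTO_ESP:
            return None                    # cleartext on an encrypted interface: intruder packet
        esp, icv = packet[IPV4_HEADER_LEN:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", esp[:ESP_HEADER_LEN])
        keys = self.key_table.get(spi)
        if keys is None:
            return None                    # no key known for this SPI
        expected = hmac.new(keys["auth"], esp, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None                    # authentication failed: modified or forged
        if seq <= self.last_seq.get(spi, 0):
            return None                    # replayed sequence number
        self.last_seq[spi] = seq
        ciphertext = esp[ESP_HEADER_LEN:]
        plaintext = _xor(ciphertext, _keystream(keys["enc"], spi, seq, len(ciphertext)))
        return spi, seq, plaintext
```

The authentication check runs over the SPI, the sequence number and the ciphertext, and is evaluated before any decryption, so a packet that fails it is dropped without touching the key stream; a node inside the domain that forwards the packet unchanged (case 4) would perform the same check and then pass the original bytes on.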

Referring now to FIG. 4, a network equipment processor assembly 400, which in certain embodiments may be used in the handling of packets, includes a network equipment processor element 406 (e.g., a central processing unit (CPU) and/or other suitable processor(s)), a memory 408 (e.g., random access memory (RAM), read only memory (ROM), and the like), a cooperating module/process 402, and various input/output devices 404 (e.g., a user input device (such as a keyboard, a keypad, a mouse, and the like), a user output device (such as a display, a speaker, and the like), an input port, an output port, a receiver, a transmitter, and storage devices (e.g., a tape drive, a floppy drive, a hard disk drive, a compact disk drive, and the like)).

It will be appreciated that the functions depicted and described herein may be implemented in hardware, for example using one or more application specific integrated circuits (ASIC), and/or any other hardware equivalents. Alternatively, according to one embodiment, the cooperating process 402 can be loaded into memory 408 and executed by network equipment processor 406 to implement the functions as discussed herein. As well, cooperating process 402 (including associated data structures) can be stored on a tangible, non-transitory computer readable storage medium, for example magnetic or optical drive or diskette, semiconductor memory and the like.

It is contemplated that some of the steps discussed herein as methods may be implemented within hardware, for example, as circuitry that cooperates with the network equipment processor to perform various method steps. Portions of the functions/elements described herein may be implemented as a computer program product wherein computer instructions, when processed by a network equipment processor, adapt the operation of the network equipment processor such that the methods and/or techniques described herein are invoked or otherwise provided. Instructions for invoking the inventive methods may be stored in fixed or removable media, and/or stored within a memory within a computing device operating according to the instructions.

Therefore what has been disclosed is a method for encrypting all user and control plane traffic traversing nodes in a network.

Note, in the preceding discussion a person of skill in the art would readily recognize that steps of various above-described methods can be performed by appropriately configured network processors. Herein, some embodiments are also intended to cover program storage devices, e.g., digital data storage media, which are machine or computer readable and encode machine-executable or computer-executable programs of instructions, wherein said instructions perform some or all of the steps of said above-described methods. The program storage devices are all tangible and non-transitory storage media and may be, e.g., digital memories, magnetic storage media such as magnetic disks and magnetic tapes, hard drives, or optically readable digital data storage media. The embodiments are also intended to cover network element processors programmed to perform said steps of the above-described methods.

Numerous modifications, variations and adaptations may be made to the embodiment of the invention described above without departing from the scope of the invention, which is defined in the claims.

What is claimed is:
1. A method of encrypting data for a network having a plurality of network elements, each of said plurality of network elements having a connection between a respective ingress interface to a respective egress interface of another network element of said plurality of network elements, and a subset of said plurality of network elements comprising a secured domain, the method comprising: at a first network element, which is a member of said subset of network elements and inside the secured domain, encrypting all unencrypted Layer 3 packets as they egress the respective egress interface, wherein said egress interface is enabled for encryption; at said first network element, unencrypting all encrypted Layer 3 packets as they egress the respective egress interface, wherein said egress interface is not enabled for encryption and is outside the secured domain; and at said first network element, leaving encrypted all encrypted Layer 3 packets as they egress the respective egress interface, wherein said egress interface is enabled for encryption.
2. The method as claimed in claim 1, wherein said encrypting is associated with an encryption protocol that is one of a group of DES, 3DES, Blowfish, Twofish, Serpent, SNOW 3G, Kasumi-F8, AES-128, AES-192, and AES-256.
3. A system for providing a secured domain, comprising: a plurality of network elements, each of said plurality of network elements having a connection between a respective ingress interface to a respective egress interface of another network element of said plurality of network elements; a subset of said plurality of network elements comprising said secured domain; a first network element which is a member of said subset of network elements and inside the secured domain, which encrypts all unencrypted Layer 3 packets as they egress the respective egress interface, wherein said egress interface is enabled for encryption; said first network element further unencrypting all encrypted Layer 3 packets as they egress the respective egress interface, wherein said egress interface is not enabled for encryption and is outside the secured domain; and said first network element leaving encrypted all encrypted Layer 3 packets as they egress the respective egress interface, wherein said egress interface is enabled for encryption.
4. The system as claimed in claim 3, wherein said encrypting is associated with an encryption protocol that is one of a group of DES, 3DES, Blowfish, Twofish, Serpent, SNOW 3G, Kasumi-F8, AES-128, AES-192, and AES-256.
5. A non-transitory machine readable storage medium encoded with instructions for execution by a processor at a first network element for a network having a plurality of network elements, each of said plurality of network elements having a connection between a respective ingress interface to a respective egress interface of another network element of said plurality of network elements, and a subset of said plurality of network elements comprising a secured domain, and said first network element a member of said subset and inside the secured domain, the medium comprising: instructions for encrypting all unencrypted Layer 3 packets as they egress the respective egress interface of said first network element when said egress interface is enabled for encryption; instructions for unencrypting all encrypted Layer 3 packets as they egress the respective egress interface of said first network element when said egress interface is not enabled for encryption and is outside the secured domain; and instructions for leaving encrypted all encrypted Layer 3 packets as they egress the respective egress interface of said first network element when said egress interface is enabled for encryption.
6. The non-transitory machine readable storage medium as claimed in claim 3, wherein said encrypting is associated with an encryption protocol that is one of a group of DES, 3DES, Blowfish, Twofish, Serpent, SNOW 3G, Kasumi-F8, AES-128, AES-192, and AES-256.